feat(integration): INT-08 Taiga OIDC docker test + CI

Author: RedjiJB

.github/workflows/ci.yml

@@ -235,33 +235,39 @@ run: bash tests/labs/test-lab-15-01.sh
         run: docker compose -f docker/docker-compose.sso.yml down -v
 
   lab-05-smoke:
-    name: Lab 15-05 -- Taiga Advanced Integration (Mattermost Webhook)
+    name: Lab 15-05 -- Taiga Advanced Integration (INT-08 Taiga<->Keycloak OIDC + LDAP)
     runs-on: ubuntu-latest
     needs: validate
     continue-on-error: true
     steps:
       - uses: actions/checkout@v4
 
       - name: Install tools
-        run: sudo apt-get install -y curl postgresql-client netcat-openbsd ldap-utils
+        run: sudo apt-get install -y curl postgresql-client netcat-openbsd ldap-utils python3
 
       - name: Validate integration compose
         run: docker compose -f docker/docker-compose.integration.yml config -q && echo "Integration compose valid"
 
       - name: Start integration stack
         run: docker compose -f docker/docker-compose.integration.yml up -d
 
-      - name: Wait for WireMock
-        run: timeout 90 bash -c 'until curl -sf http://localhost:8761/__admin/health; do sleep 5; done'
-
       - name: Wait for PostgreSQL
         run: timeout 120 bash -c 'until docker exec taiga-i05-db pg_isready -U taiga > /dev/null 2>&1; do sleep 5; done'
 
+      - name: Wait for OpenLDAP
+        run: timeout 120 bash -c 'until docker exec taiga-i05-ldap ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapLab05! > /dev/null 2>&1; do sleep 5; done'
+
+      - name: Wait for LDAP seed to complete
+        run: timeout 120 bash -c 'until docker inspect taiga-i05-ldap-seed --format "{{.State.Status}}" 2>/dev/null | grep -q exited; do sleep 5; done'
+
       - name: Wait for Keycloak
-        run: timeout 300 bash -c 'until curl -sf http://localhost:8540/realms/master; do sleep 10; done'
+        run: timeout 300 bash -c 'until curl -sf http://localhost:8540/health/ready | grep -q UP; do sleep 10; done'
+
+      - name: Wait for WireMock
+        run: timeout 90 bash -c 'until curl -sf http://localhost:8761/__admin/health; do sleep 5; done'
 
       - name: Wait for Taiga Back
-        run: timeout 300 bash -c 'until curl -sf http://localhost:8041/api/v1/ | grep -q version; do sleep 15; done'
+        run: timeout 300 bash -c 'until curl -sf http://localhost:8041/api/v1/ > /dev/null 2>&1; do sleep 15; done'
 
       - name: Run Lab 15-05 test script
         run: bash tests/labs/test-lab-15-05.sh --no-cleanup

docker/docker-compose.integration.yml

@@ -2,17 +2,19 @@
 # IT-Stack: Taiga — Lab 05: Advanced Integration
 # Module 15 · Phase 4 · Lab 05
 # =============================================================================
-# Services: PostgreSQL · Redis · OpenLDAP · Keycloak · WireMock (Mattermost-mock)
+# Services: PostgreSQL · Redis · OpenLDAP · LDAP-Seed · Keycloak · WireMock
 #           Mailhog · Taiga Backend · Taiga Frontend
 # Ports:    Frontend:8440  Backend:8041  WireMock:8761  KC:8540  LDAP:3885  MH:8740
 # Credentials:
 #   DB:       taiga / TaigaLab05!
 #   Keycloak: admin / Admin05!
-#   LDAP:     cn=admin,dc=lab,dc=local / LdapLab05!
+#   LDAP:     cn=admin,dc=lab,dc=local / LdapLab05!    readonly: ReadOnly05!
+#   LDAP users: taigaadmin/taigauser1/taigauser2  pw: Lab05Password!
 # What's new vs Lab 04:
-#   + WireMock 3.x simulates Mattermost API (webhooks, DMs)
-#   + Taiga back configured with MATTERMOST_URL for project notifications
-#   + Integration tested: Taiga → Mattermost webhook (project events)
+#   + INT-08 Keycloak OIDC SSO for Taiga (taiga-contrib-oidc-auth)
+#   + LDAP seed init container (taiga-i05-ldap-seed) — FreeIPA-style tree
+#   + KC depends on seed exit; OIDC client "taiga" configured in realm
+#   + OIDC_DISCOVERY_URL env var added to Taiga Back for Ansible provisioner
 # =============================================================================
 
 name: it-stack-taiga-lab05
@@ -94,6 +96,26 @@ services:
           memory: 256M
           cpus: "0.25"
 
+  # ── LDAP Seed (init container) ────────────────────────────────────────────
+  taiga-i05-ldap-seed:
+    image: osixia/openldap:1.5.0
+    container_name: taiga-i05-ldap-seed
+    entrypoint: ["/bin/sh", "-c"]
+    command:
+      - |
+        sleep 5
+        ldapadd -x -H ldap://taiga-i05-ldap:389 \
+          -D cn=admin,dc=lab,dc=local -w LdapLab05! \
+          -f /seed/taiga-ldap-seed.ldif && echo "LDAP seed complete" || echo "LDAP seed already exists (idempotent)"
+    volumes:
+      - ./taiga-ldap-seed.ldif:/seed/taiga-ldap-seed.ldif:ro
+    depends_on:
+      taiga-i05-ldap:
+        condition: service_healthy
+    networks:
+      - taiga-i05-net
+    restart: "no"
+
   # ── Keycloak ───────────────────────────────────────────────────────────────
   taiga-i05-kc:
     image: quay.io/keycloak/keycloak:24.0.3
@@ -116,6 +138,9 @@ services:
       timeout: 10s
       retries: 20
       start_period: 30s
+    depends_on:
+      taiga-i05-ldap-seed:
+        condition: service_completed_successfully
     networks:
       - taiga-i05-net
     deploy:
@@ -193,6 +218,7 @@ services:
       KEYCLOAK_REALM: it-stack
       KEYCLOAK_CLIENT_ID: taiga
       KEYCLOAK_CLIENT_SECRET: TaigaKCSecret05!
+      OIDC_DISCOVERY_URL: http://taiga-i05-kc:8080/realms/it-stack/.well-known/openid-configuration
       LDAP_SERVER: taiga-i05-ldap
       LDAP_PORT: "389"
       LDAP_BASE_DN: dc=lab,dc=local

docker/taiga-ldap-seed.ldif

@@ -0,0 +1,79 @@
+# taiga-ldap-seed.ldif — INT-08 Taiga LDAP seed data
+# FreeIPA-style tree: cn=accounts, cn=users/groups inside it
+# Users: taigaadmin, taigauser1, taigauser2 (pw: Lab05Password!)
+# Groups: cn=admins (taigaadmin), cn=taiga-users (taigauser1, taigauser2)
+
+dn: dc=lab,dc=local
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: IT-Stack Lab
+dc: lab
+
+dn: cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: organizationalUnit
+ou: accounts
+
+dn: cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+
+dn: cn=groups,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+# ── Users ─────────────────────────────────────────────────────────────────────
+
+dn: uid=taigaadmin,cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+uid: taigaadmin
+cn: Taiga Admin
+sn: Admin
+givenName: Taiga
+mail: taigaadmin@lab.local
+userPassword: Lab05Password!
+
+dn: uid=taigauser1,cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+uid: taigauser1
+cn: Taiga User1
+sn: User1
+givenName: Taiga
+mail: taigauser1@lab.local
+userPassword: Lab05Password!
+
+dn: uid=taigauser2,cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+uid: taigauser2
+cn: Taiga User2
+sn: User2
+givenName: Taiga
+mail: taigauser2@lab.local
+userPassword: Lab05Password!
+
+# ── Groups ────────────────────────────────────────────────────────────────────
+
+dn: cn=admins,cn=groups,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: groupOfNames
+cn: admins
+member: uid=taigaadmin,cn=users,cn=accounts,dc=lab,dc=local
+
+dn: cn=taiga-users,cn=groups,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: groupOfNames
+cn: taiga-users
+member: uid=taigauser1,cn=users,cn=accounts,dc=lab,dc=local
+member: uid=taigauser2,cn=users,cn=accounts,dc=lab,dc=local